TROJANS: FOLDER OPTIONS folder Missing/Sys Restore won't work? ADMIN requirement shows up on its own

My AVG found several Trojan infections hiding in C/DOC& SETTINGS/Me/( in a
Hidden FOLDER) TEMP*** over the last couple of days.
There were also some in SYS32 in a Hidden file. I used AVG to remove them.
I also found one on my own (PIDLE.EXE ?) and deleted that too.
I ran WIN ASO (regedit program as I have in the past without problems and
had it FIX the found entries..Never had a problem with that before)

I had the FOLDER OPTIONS menu set to SHOW hidden /system files since I'm the
only user here. I could access these HIDDEN folders no problem yesterday
and all prior.

I ve never used/set up ADMIN privileges on this computer/ I never had any
problem accessing MSCONFIG or REGEDIT before.

Things were acting up a little today so I ran AVG again and it showed MORE
TROJAN .TMP files again in the HIDDEN window, said AVG.

**BTW, I got a POP-UP window 2-3 X over the last few days and earlier today
that said my AVG 8.0 needed to be U'G to 8.5 . After ignoring it several
times, I clicked the UPGARDE tab today. That may have been a mistake ( it
did DL something but didnt upgrade..just put another file in the HIDDEN TEMP
folder mentioned above**

Tonite after AVG ran again, I tried to open the *** TEMP window to see what
else had shown up there besides the 5 TROJAN hits AVG told me about, I found
that all the previously NOT HIDDEN folders were now gone (HIDDEN). There
was a reference at the bottom "12 folders (9hidden)"

I went to C/My docs etc and tried to change the FOLDER (hidden) OPTIONS but
there was no line there in Either VIEW or TOOLS.
I went to CONTROL PANEL and found the FOLDER OPTIONS folder had vanished
from there too.

I googled "FolderOptions disappeared" and one reply said to go thru REGEDIT
to:
HKEY_Current_User\Software|Microsoft\Windows\CurrentVersion\Poli|Explore to
set the word to "0" or delete it (something like that anyway, I cant read
what I wrote..)

Anyway, now I get a RED X saying that NOW I need "ADMIN OK" to access
REGEDIT..Tried to run SYS Restore..several points..wont work, just sits
there, so I RESTORED everything that WIN ASO "fixed" yesterday..no luck.

So in a nutshell,
1. I can't access the FOLDER OPTIONS folder as it has vanished-so I can't
SEE my Hidden folders
2. I can't access RUN>regedit as somehow I'm not a (NEVER set up)
ADMINISTRATOR
3. I can't do a SYS RESTORE (tried many "points") it just sits there
4. The TROJANS just keep on coming

help..

Try downloading and running Trojan Remover
Update it , and run it (disconnect the internet connection whilst trying to
get rid of the virus.)
Then re-install the antivirus ( yes the virus will corrupt the antivirus
software to stop it working)
Run the new version of the antivirus.
(It helps if you have a spare computer - ( a laptop or evan an old PC) just
to download fresh copies of the software. I then used a USB memory stick to
copy the software across and installled it from there)
That should get the folder options working again ( Trojan remover will
identify that 'folder options' is turned off and allow you to click a button
to get them back.Can't remember what it says but its something like
'administrator priveledges restricted' -restore Y or N
The bad news is I think you will have lost the files to RESTORE the
computer, or at least they are so corrupt, its better to turn off the
restore feature, untill you have cleared it.
Run Trojan Remover and your antivirus till they both do a clean sweep.
Reset the computer to SAFE MODE and do a TR and AV search (separately) .
Repeat till they are not finding anything.
Reset back to normal mode, and re-run the TR and AV software just in case.
When clean turn restore back on.
The important thing is to re-install the antivirus software-the virus has
almost certainly corrupted the original to stop it finding it.

Start with the following pair...

Malwarebytes Anti-Malware

SuperAntiSpyware

UPDATE:

I restarted in SAFE MODE and was able to get in as ADMINISTRATOR.
From there I was able to go to two places:

1. REGEDIT where (as advised on an internet HELP site) I went to

HKEY_CURRENT_USER\software\Microsoft\Windows\Current
Version\Policies\Explorer .. where I was (as instructed) able to

"Set the DWORD" in 'No Folder Options' to "0" (zero). It was (145)

This, according to the website should have resulted in the FOLDERS OPTIONS
re=appearing in my CONTROL PANEL after a (normal) restart.

That didnt work.. The FOLDER is still missing in Control Panel as it is the
FOLDER OPTIONS Line *Missing* under: My Documents/TOOLS/ after a normal
restart.

2. In SAFE MODE, I easily found CONTROL PANEL/FOLDER OPTIONS where it
belonged, it worked fine and i was able to VIEW the HIDDEN FOLDER:
C/Documents&Settings/MyName/Local Settings/TEMP.

But Even after I had just run AVG (about 20 min before), after the restart,
I again found in there TWO TROJAN FILES ("APPLICATION" )
Named: 194302960.exe 34KB, and 2391089152.exe )
Also another "suspect" file: sdglkj90gigfmfgf.tmp 1Kb ) both in that
TEMP folder.

BTW, About a month or so ago, I had the disappearing FOLDERS OPTIONS problem
and someone in here gave me a simple way thru ADMINISTRATOR to put it back
into CONTROL PANEL (like: "right click there, check box here" ) but I don't
recall how it was done.



3. I also was able to ACCESS System Tools/ "SYSTEM RESTORE" in SAFE MODE.

None of the points I tried (4-5) would work at all, so here I am, still
stuck..

Download the two programs just mentioned (SUPERantispyware and
Malwarebytes.) However after you update them be certain to disable any
resident security or antimalware, antispyware programs that may be
running.) Clear out your temporary internet files or caches from any
and all browsers. Once that is done disconnect from the internet and run
both programs allowing them to clear and fix anything that they may
find.

Once competed run a full AV scan with something other than AVG. Eset on
line scan is excellent for this purpose but must be run from Internet
Explorer rather than any other browser that you may use. 'Free ESET
Online Antivirus Scanner'

Once you are satisfied that all is well set a new restore point. If you
have further trouble feel free to visit

You've gotten good advice from a couple of other people who suggested
that you run Malwarebytes to try to fix this, but let me make another
point:

The primary reason for running anti-virus and anti-spyware programs is
to *prevent* infection by malware, not to remove it after you've
gotten infected. Once you are infected it's entirely possible that
enough damage has been done that you can never recover from it.

Moreover, you are talking about multiple infections. Any time you find
yourself in that situation, it becomes highly likely that recovery is
not possible. Doing a clean reinstallation of Windows and starting
from scratch may be your only choice.

After melding/following the advice of 3-4 members here, I first uninstalled
AVG8 which wasn't getting the EVIL out of my laptop

Then I DL, setup and ran
1. Malwarebytes
2. Superantispyware
3. SimplySuperTrojan Remover.

I did these all, both in NORMAL Windows and then in SAFE MODE. (It took
most of the day..LOTS of SCANNING files ;-(

PILES of Trojans and other EVIL such as LOADER100.EXE, LOADER49.EXE,
lmppcsetup.EXE, SHeur2.ADCY, SHeur2.ADDA, Packed.Generic.205,
Backdoor.generic11.HUH and WIN32CRYPTOR turned up, probably 15 or more in
all sorts of places and AFTER I had run a (todays) updated AVG/FIND/REMOVE.

It was finding a few each time and removed them but never apparently the
SOURCE(s) of the trouble.

Once I got all 3 to show CLEAR in SAFE MODE, I restarted Windows normally
and ran two of the 3 again, coming up CLEAR again.

I then DL a fresh, updated AVG 8.5 and installed and ran that too...All
clear (fingers crossed)

Also, as "Turbo" said, the disappeared "FOLDERS OPTIONS" folder returned
both in Control Panel and in C/My Docs/ Tools "Folder Options" after I ran
Simply Super and everything else....NO ADMINISTRATOR Ok required now
;-)

The ONLY thing that still gives me concern is ONE FILE in the C:\Documents
and Settings\Administrator\Local Settings\Temp folder:

its: sdglkj90gjgfmfgf.tmp

It looked like some of the "infected" temp files that had been removed so I
ran a search on GOOGLE for it which gave me this site and warning:

(which appreared in Spain & the USA on Apr 24/09)

which led to this:

"One or more files with the name SJG9S8GUIGJS.DLL creates, deletes, copies
or moves the following files and folders:

a.. Creates c:\docume~1\user\locals~1\temp\sdglkj90gjgfmfgf.tmp "
b..
ANYWAY, did a total system search for the SJG9S8GUIGJS.DLL but it was
negative so I don't know why/where the

<sdglkj90gjgfmfgf.tmp> file comes from.

I highlighted it and had both trojan fixer/finders have a look at it but
neither recognized it as a threat.
I've deleted it..

Anyway, MANY thanks to Turbo, BeeCeeBee, and DAve L for your help..
adios

You would be best advised to wipe that computer and reinstall from
scratch. WIth so many things, you really have no idea if your computer
is actually clean or just clean of what can be detected.

I could see not wiping if it was just ad-ware, but you've got more than
just a couple thing - since no antimalware product gets the latest
malware, I would strongly encourage you to backup your files and
important data and then wipe the computer and reinstall from scratch in
a clean environment.

OK you unistalled AVG. You *NEED* an anti virus solution.

I strongly suggest Avira AntiVir. Once installed perform a full scan again.

When you recommend AntiVir, you should also recommend the site that
has the instructions on how to rid oneself of the AntiVir nag screen.

Mine started throwing up a new nag yesterday to get v9. Must upgrade & redo
the tweak...

Looks like the EliteKiller guidelines might need updating iro v9. For
instance:

I have v9 on this vista machine AND on my XP notebook. No nag. No
splash.

Only if asked.

Glad we are getting close now to having it solved.

Try this.
get into SAFE MODE . Navigate thru windows explorer to C:\Documents and
Settings\Administrator\Local Settings\Temp folder:

Right click on Temp Folder , and check if there is something like 'Scan for
Virus' or check for Virus' or 'Virus scan' .. The wording will be different
because the programs you are are using I am not too familiar with. If you
can get a Virus scan from here , that should find it.

or

go back to normal windows mode and try a 'house call' from TREND

Follow the instructions and it will install a small program on your computer
, so when it asks if its OK to downlaod, click Yes ... It will self run and
take a couple of hours depending on the drive size and how much is on there.

or

get into SAFE MODE . Navigate thru windows explorer to C:\Documents and
Settings\Administrator\Local Settings\Temp folder:
right click on Temp Folder and from the menu try 'cut' or 'delete' . There
is nothing in that folder that will not be re-created when needed. It will
remove the cookies that the computer uses to log in to places like Yahoo,
mGoogle , Ebay etc and you will need to re-enter those when needed.

or

Open you browser ( offline is always best as the Virus can't re-download
itself as some of these things do.) - click 'work offline' and go to (
assuming IE) Tools > Internet Options > General Tab and find 'Browsing
History' and click DELETE. This should wipe the Temp Folder except for the
DAT file in there , which is no problem to leave it as is. Make sure your
antivirus is running before doing this , and if the virus is activated by
the DELETE action , the AV should grab it and quarantine.

or

will your AV scan in DOS mode...If it will restart the computer in 'command
prompt' mode and then type in the full address

Let us know how you get on, BUT don't give up at this stage. Personally , I
would not wipe the computer and re-install.

ONE FINAL SUGGESTION....
Try another Anti Virus, as not every one will find every virus.
download the correct version of the TREND AV for your computer ( still
running your AV at the moment).
Once downloaded say to your desktop , go offline, and uninstall your own AV
.. Install TREND free trials ( which work for 30 days) , restart your PC and
check its working ( little ICON next the clock) .
Go back online and update it to the latest tables ( which it will do three
times only) . Go Offline, and scan in normal mode. , then restart in safe
mode and scan again . Scan again until the scan is completely clear.
Uninstall TREND and re-install your preffered AV - hopefully with a working
computer.
Personally I would do one other thing , and that is turn off the 'RESTORE'
function- viruse often hide in there. Right click on the desktop icon for MY
COMPUTER and right click on properties. Click on the SYSTEM RESTORE tab, and
put a tick in the 'Turn off system restore on all drives'
Once you are happy and convinced that its working again turn RESTORE back on
by reversing the process

For XP Pro

{ NOTE: Lines may/will wrap ! }

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe\" /min /nosplash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{70e5e27d-5c91-441c-a92c-6d8bbd008efe}]
"LastModified"=hex(b):7a,bf,69,28,13,fc,c8,01
"Description"=""
"SaferFlags"=dword:00000000
"ItemData"="C:\\Program Files\\AntiVir PersonalEdition Classic\\avnotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{878c836b-49b8-48f3-9509-bf3c0aaf1df6}]
"LastModified"=hex(b):a6,07,dd,1f,3f,c8,c9,01
"Description"=""
"SaferFlags"=dword:00000000
"ItemData"="C:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}]
"Description"=""
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,48,00,4b,00,45,00,59,00,5f,00,43,00,55,00,52,00,52,00,\
45,00,4e,00,54,00,5f,00,55,00,53,00,45,00,52,00,5c,00,53,00,6f,00,66,00,74,\
00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,\
66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,\
00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,\
5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,53,00,68,00,65,\
00,6c,00,6c,00,20,00,46,00,6f,00,6c,00,64,00,65,00,72,00,73,00,5c,00,43,00,\
61,00,63,00,68,00,65,00,25,00,4f,00,4c,00,4b,00,2a,00,00,00
"LastModified"=hex(b):07,55,27,b6,c5,af,c8,01

I initially uninstalled the OLD 8.0 Ver of AVG..Following all the
Anti-Spy/Malware scans [5-6] coming up clear, I DL and Installed the Newest
8.5 Ver of AVG and its updates (including today's). Would that suffice or
do I "need" AVIRA ?

AVG and Avira AntiVir are parallel products. Both are anti virus applications. However,
it is my opinion that Avira AntiVir is superior to AVG.

You have AVG 8.5 installed you might as well stick with it.

Here is something you supplement AVG. My Multi AV Scanning Tool has four anti virus On
Demand scanners. One of them is Trend Micro Sysclean which uses the same signatures as
Trend Micro Housecall which was previously suggested.


Download MULTI_AV.EXE from the URL --


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

I ran SuperAntiSpyware, TR678 (SimplySuper) Trojan remover twice today, I
also DL and re-installed the Newest Ver of AVG 8.5 updated to today.
I further Uninstalled my old' Spybot S&D and DL/installed the newest
Version, updated and ran it earlier today.

Then

ALL DONE AS YOU SUGGESTED:

Selected TREND to do the Job.

RESULTS:

1. TREND Virus Scan Ver 28/04/09

43079 Read
43079 Checked
43052 Scanned
107809 Scanned Incl Archived

Virus Type files = 0

2. Trend Command Line (Spyware) Scanner
Scanned Suspect

Programs 414 0
Internet Cookies None 0
WinRegistry 37317 0
Net URL shortcuts 629 0
Hosts Files None 0
Files/Directories 5432 0

Detected 0 items

This mirrrors the results from the other 2 Spyware scanners, AVG 8.5 w/
29/04/09 update and Spybot S&D.
The locking, slowing, failure to load URLs, and vanished FOLDER OPTIONS:
all the things that were going wrong for the last 3-4 days seems to have
been fixed.

That said, when I got home (where I've got Avira and that pop-up) I checked
and I'm already running version 9. It's not the usual mid-screen "GO PRO!!!"
annoyance which the Elitekiller site (inter alia) details the disabling of
but a smaller one, down at the bottom right.

I'll try the latest download from the Avira website on a new install on
another PC I'm doing, try out the secpol.msc fix, and look at the reg tweaks
if necessary - for which, thanks.